Microsoft Uncovers ClickFix Campaign Using Windows Terminal To Deploy Lumma Stealer Malware

Microsoft has disclosed details of a new social engineering campaign that uses Windows Terminal to launch a multi-stage malware attack chain designed to deploy Lumma Stealer on targeted systems. According to Microsoft Threat Intelligence, the campaign was observed during February 2026 and forms part of a broader ClickFix operation that relies on deceptive instructions to convince users to execute malicious commands on their own devices. The attackers imitate legitimate troubleshooting or verification procedures, increasing the likelihood that unsuspecting users will follow the instructions and unknowingly trigger the attack.

Unlike earlier ClickFix techniques that instructed victims to open the Windows Run dialog and paste a command, this campaign directs users to open Windows Terminal instead. Targets are asked to press Windows+X followed by I, which launches Windows Terminal (wt.exe), a command interface commonly used by administrators. Microsoft said this approach lets the malicious instructions blend into legitimate administrative activity, making them appear more trustworthy to users. It also helps attackers evade detections that monitor only abuse of the Run dialog. Once the terminal window is open, victims are prompted by fake CAPTCHA pages, troubleshooting messages, or other verification-style prompts to copy and paste a command into the terminal session. The command provided by the lure page is hex-encoded and XOR-compressed, concealing its malicious functionality until it is executed on the target system.

When the command is pasted into Windows Terminal, it begins a multi-stage attack sequence that uses additional Terminal and PowerShell instances to decode the script. After decoding, the script downloads a ZIP archive along with a legitimate 7-Zip binary that has been renamed with a randomized file name. The renamed tool is written to disk and used to extract the contents of the downloaded ZIP archive. This extraction starts a longer attack chain designed to establish persistent access and collect sensitive information from the compromised device. Microsoft reported that the malware retrieves additional payloads, creates scheduled tasks to maintain persistence on the infected system, and weakens security settings by adding exclusions to Microsoft Defender. Once these steps are completed, the attack gathers system and network information before delivering Lumma Stealer. The malware is injected into running processes such as chrome.exe and msedge.exe using a technique known as QueueUserAPC injection. By operating inside trusted browser processes, the malware can capture sensitive browser data while remaining less visible to security monitoring tools.

Microsoft explained that Lumma Stealer is designed to collect high-value browser artifacts, including stored login credentials and other data held in browser databases such as Web Data and Login Data. This information is then transmitted to infrastructure controlled by the attackers. During its investigation, Microsoft also identified an alternative attack pathway associated with the same campaign. In this scenario, when the malicious command is executed within Windows Terminal, it uses cmd.exe to download a randomly named batch script into the AppData\Local directory. The script then writes a Visual Basic Script file into the system temporary folder, commonly referred to as the Temp directory. The batch script is executed using cmd.exe with the "launched" argument and later executed again through MSBuild.exe. Microsoft said this behavior represents abuse of living-off-the-land binaries (LOLBins), which allows attackers to carry out malicious activity using legitimate system tools.
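The behaviors described above (Windows Terminal spawning a shell with an encoded command, a renamed 7-Zip binary in a user-writable folder, Defender exclusions being added, and cmd.exe handing a batch script in AppData\Local to MSBuild.exe) translate directly into process-creation triage rules. The following is an added example, not Microsoft's detection logic; the record field names, the hex-length threshold, the paths and the sample events are all constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Sysmon-like process-creation record: id, parent, image, cmdline, orig_name (PE OriginalFileName).
# Field names, thresholds and the sample events below are assumptions of this example.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64,}(?![0-9A-Fa-f])")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\local\\", "\\temp\\")

def base(path):
    return PureWindowsPath(path).name.lower()  # lower-cased file name of a Windows path

def rule_wt_encoded_shell(ev):
    """Windows Terminal spawning a shell whose command line carries a long hex blob."""
    return (base(ev["parent"]) == "wt.exe" and base(ev["image"]) in SHELLS
            and HEX_RUN.search(ev["cmdline"]) is not None)

def rule_renamed_7zip(ev):
    """PE original name is 7z.exe but it runs under another name from a user-writable dir."""
    img = ev["image"].lower()
    return (ev.get("orig_name", "").lower() == "7z.exe" and base(img) != "7z.exe"
            and any(d in img for d in USER_WRITABLE))

def rule_defender_exclusion(ev):
    """Add-MpPreference used to add a Defender exclusion (path, process or extension)."""
    c = ev["cmdline"].lower()
    return "add-mppreference" in c and "-exclusion" in c

def rule_batch_to_msbuild(ev):
    """cmd.exe running a .bat out of AppData\\Local, or MSBuild.exe launched by cmd.exe."""
    c = ev["cmdline"].lower()
    if base(ev["image"]) == "cmd.exe":
        return ".bat" in c and "\\appdata\\local\\" in c
    return base(ev["image"]) == "msbuild.exe" and base(ev["parent"]) == "cmd.exe"

RULES = (rule_wt_encoded_shell, rule_renamed_7zip, rule_defender_exclusion, rule_batch_to_msbuild)
def detect(events):
    """Return (rule name, event id) for every event that trips a rule."""
    return [(r.__name__, ev["id"]) for ev in events for r in RULES if r(ev)]

WT = r"C:\Users\u\AppData\Local\Microsoft\WindowsApps\wt.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE = [  # constructed events, not real telemetry; the hex blob is a filler run
    {"id": 1, "parent": WT, "image": PS, "cmdline": "powershell -c " + "4a" * 40, "orig_name": "PowerShell.EXE"},
    {"id": 2, "parent": PS, "image": r"C:\Users\u\AppData\Local\Temp\qx7f2.exe", "cmdline": "qx7f2.exe x p.zip", "orig_name": "7z.exe"},
    {"id": 3, "parent": PS, "image": PS, "cmdline": r"powershell Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp", "orig_name": "PowerShell.EXE"},
    {"id": 4, "parent": CMD, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmdline": r"MSBuild.exe C:\Users\u\AppData\Local\ab12.bat", "orig_name": "MSBuild.exe"},
    {"id": 5, "parent": WT, "image": PS, "cmdline": "powershell Get-Process", "orig_name": "PowerShell.EXE"},  # benign terminal use
]
HITS = detect(SAMPLE)  # events 1-4 each trip one rule; event 5 (ordinary terminal use) is clean
```

Event 5 shows the point of the hex-length check: Windows Terminal launching PowerShell is normal administrative activity, so the rule keys on the encoded payload rather than on wt.exe alone.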

Researchers also observed that the script communicates with cryptocurrency blockchain RPC endpoints, suggesting the use of the EtherHiding technique to conceal malicious infrastructure. The script performs the same QueueUserAPC-based code injection targeting chrome.exe and msedge.exe in order to harvest browser-stored credentials. Microsoft shared details of the campaign through posts on X by Microsoft Threat Intelligence, highlighting the growing use of social engineering tactics that exploit trusted system tools and legitimate workflows to trick users into executing malicious commands.
